High Fidelity Alerting Leveraging Adaptive Authentication

August 28, 2016

In the past few years, organizations have been experiencing monumental shifts. The headaches of in-house server rooms are waning in favor of the low-cost and flexible resources of the elastic cloud. Company-owned and company-managed personal devices are long gone, replaced by increasingly powerful and rapidly changing consumer devices. These shifts have shaken the concept of the traditional network perimeter to its very core. The edge of your network is increasingly difficult to define, as identities may carry it to data centers far beyond your control.
 
Traditional perimeter protection (firewalls, intrusion detection systems, anti-virus software, and so on) remains pertinent, but is clearly no longer sufficient to keep attackers from gaining access to corporate networks. Therefore, to protect themselves, organizations need a new paradigm: stop treating the edge of an organization’s network as the only perimeter, and expand our definition of perimeter to include identity.
 
What does it mean for an organization to treat identity as a perimeter? Given that attackers will inevitably breach outer defenses and gain a foothold, organizations need to shift their focus to the later phases of the attack lifecycle: they need to focus on detecting the use of stolen credentials and lateral movement. This is currently a significant blind spot for organizations, since most security products focus on the early phases of keeping attackers out of the network. It is difficult to detect attackers moving laterally because a skilled attacker knows how to blend in with normal user activity. According to incident response firm Mandiant, the mean time to detection now sits at around 205 days, a staggeringly long amount of time for an attacker to go unchallenged inside your organization. However attackers breach an organization’s perimeter, they need one critical thing to successfully complete their mission: credentials.
 
Attackers can steal credentials from unsuspecting users through vulnerabilities in software, through brute-force methods, or they can obtain the password hash and pass it when required (a pass-the-hash attack). Any of these methods enables attackers to masquerade as real users, blending in with the day-to-day noise of legitimate activity so they can move laterally without detection. In some cases, attackers have the audacity to escalate their privileges — often by exploiting a vulnerability — and create their own credentials within the organization’s identity store.
 
Adaptive Authentication can help fill this blind spot. Adaptive Authentication gives you the perfect vantage point to observe and disrupt the credential seeking and lateral movement phases of the attack lifecycle. Moreover, by joining Adaptive Authentication information with other alerts in a security information and event management (SIEM) system, security practitioners can obtain a more complete view of an attack and write appropriate correlation rules to improve the organization’s security posture.
 
Correlation is key. One security event raises suspicion, but when that event is correlated with other security events, you have an incident. For example, an email threat detection device may alert you that a malicious binary was sent to a particular user in your organization. That alert, combined with an Adaptive Authentication alert attached to the credentials of that user, paints an increasingly likely image of a breach in its early stages. The fidelity of these security alerts can be further increased through the use of real-time threat intelligence, helping identify activity that is being launched from known malicious criminal infrastructure or anonymous proxy networks.
 
In addition, the rich data collected and analyzed by an Adaptive Authentication solution is extremely valuable during a security investigation and incident response. This data may include:
 
• The username associated with the identity
• The group membership associated with the identity 
• The IP address associated with the identity as it was presented in the authentication
• Attribution data associated with that IP address, such as its geographical location or classification (for example, an anonymous proxy or known malicious IP)
• The system that the identity was attempting to access
• The behavior profile(s) of the physical user associated with the identity
• The biometric profile(s) of the physical user associated with the identity
 
A timeline of this data can paint a clearer picture of the lifecycle of an attack. Forensic investigators can utilize it to analyze the attempted movement of attackers in order to scope the intrusion and determine motive. In addition, because this data is a window into user behavior, it can be analyzed by behavioral analysis products for anomalies.
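The correlation described above (an email-threat alert joined with an Adaptive Authentication alert on the same identity, scored higher when threat intelligence flags the source IP) and the per-identity timeline built from the data fields listed, as an added example that is not part of the original post. All alert records, the IP addresses and the threat-intelligence set are constructed for the example; a real deployment would read them from the SIEM.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry); timestamps are ISO 8601 UTC.
EMAIL_ALERTS = [
    {"ts": "2016-08-22T09:02:00", "user": "jdoe", "detail": "malicious binary attached"},
]
AUTH_ALERTS = [  # fields follow the data list above: user, group, IP, attribution, system
    {"ts": "2016-08-22T09:41:00", "user": "jdoe", "group": "finance", "ip": "198.51.100.23",
     "ip_class": "anonymous_proxy", "system": "vpn", "reason": "unrecognised device"},
    {"ts": "2016-08-22T11:05:00", "user": "asmith", "group": "engineering", "ip": "203.0.113.9",
     "ip_class": "corporate", "system": "wiki", "reason": "impossible travel"},
]
# Constructed threat-intelligence feed: IPs treated as known malicious infrastructure.
THREAT_INTEL = {"198.51.100.23"}
WINDOW = timedelta(hours=24)  # how long after the email alert an auth alert still correlates


def _ts(s):
    return datetime.fromisoformat(s)


def timeline(user, email_alerts, auth_alerts):
    """Merge both alert sources for one identity into a time-ordered list for investigators."""
    events = [(m["ts"], "email", m["detail"]) for m in email_alerts if m["user"] == user]
    events += [(a["ts"], "auth", f'{a["reason"]} from {a["ip"]} ({a["ip_class"]}) to {a["system"]}')
               for a in auth_alerts if a["user"] == user]
    return sorted(events)


def correlate(email_alerts, auth_alerts, intel, window=WINDOW):
    """Join email-threat and adaptive-auth alerts on username within `window`.
    Two independent alerts on one identity form an incident; threat-intel and
    anonymous-proxy attribution on the auth source IP raise its score."""
    incidents = []
    for auth in auth_alerts:
        t_auth = _ts(auth["ts"])
        for mail in email_alerts:
            if mail["user"] != auth["user"]:
                continue
            t_mail = _ts(mail["ts"])
            if not (t_mail <= t_auth <= t_mail + window):
                continue
            score, reasons = 2, ["email threat", auth["reason"]]
            if auth["ip"] in intel:
                score += 2
                reasons.append("source IP in threat intel")
            if auth["ip_class"] == "anonymous_proxy":
                score += 1
                reasons.append("anonymous proxy")
            incidents.append({"user": auth["user"], "group": auth["group"],
                              "system": auth["system"], "score": score, "reasons": reasons,
                              "timeline": timeline(auth["user"], email_alerts, auth_alerts)})
    return incidents
```

Raising an incident only when the two alerts land on the same identity inside the window is what keeps the rule high-fidelity; a single auth anomaly (like asmith's) stays an event, not an incident.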
 
Adaptive Authentication should fit into your security ecosystem, not only issuing alerts to your SIEM solution, but also enabling you to act upon those alerts in a meaningful way during an attack. Specifically, an authentication system should support a rich API allowing for rapid updates to an authentication policy specific to identities and systems being protected.
 
Identity has become a perimeter of its own, and should be treated like one. Defense of that perimeter is an absolute necessity in our evolving security landscape. Monitoring that perimeter provides valuable context to attacks as they unfold. To learn more about Adaptive Authentication and how it can improve your perimeter defenses, as well as how SecureAuth IdP can help you easily implement improved access control, we suggest you read this whitepaper: Defending Against Advanced Threats at the Identity Perimeter
